CLAIMS 

What is claimed is: 



1 1 . A method of providing client security for networked services, the method comprising 

2 the computer-implemented steps of: 

3 storing a credential such that the credential is accessible only by using a local security 

4 authority; 

5 generating a secret value corresponding to the credential; and 

6 storing the secret value in a secret file that can be modified and retrieved only by a 

7 first user. 

12. A method as recited in claim 1 , further comprising: 

2 receiving user information provided by the first user; 

3 authenticating the first user based, at least in part, on the user information; 

4 determining the credential based, at least in part, on the user information; 

5 associating the credential with the first user; and 

6 associating a credential identifier with the credential. 



1 3. A method as recited in claim 2, wherein determining the credential includes using the 

2 local security authority to exchange information, including at least part of said user 

3 information, with a security server. 

14. A method as recited in claim 2, wherein authenticating the first user includes 

2 exchanging information, representing at least a part of the user information, with a 

3 security server by using the local security authority. 
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1 5. A method as recited in claim 4, wherein exchanging information and determining the 

2 credential includes conducting a Kerberos exchange with a Kerberos security server 

3 whereby when information is passed from the local security authority to the Kerberos 

4 security server, the Kerberos security server determines the credential based, at least 

5 in part, on the information from the local security authority, and passes the credential 

6 to the local security authority. 

16. A method as recited in claim 1 , wherein generating and writing the secret value 

2 includes using the local security authority. 

1 7. A method as recited in claim 2, further comprising: 

2 receiving a request to retrieve the credential; 

3 retrieving the secret value; 

4 retrieving the credential identifier, using the secret value; and 

5 retrieving the credential, using the credential identifier. 

1 8. A method as recited in claim 7, further comprising: 

2 passing the credential identifier from the local security authority to an application 

3 client; 

4 receiving a request to initialize a security context; 

5 obtaining authentication information by using the local security authority and using 

6 the credential; 

7 passing the authentication information to a security library; and 
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8 passing the authentication information from the security library to the application 

9 client, thereby facilitating initialization of the security context, wherein 

10 retrieving the credential includes identifying the credential that corresponds to 

1 1 the secret value and to the credential identifier by using the local security 

12 authority. 

1 9. A method as recited in claim 7, wherein the secret value is retrieved only if the 

2 request to retrieve the credential is received from the first user. 

1 10. A method as recited in claim 1, further comprising: 

2 retrieving the secret value from the secret file; 

3 passing the secret value to the local security authority; 

4 identifying the credential to which the secret value corresponds by using the local 

5 security authority to correlate a characteristic of the secret value with a 

6 characteristic of the credential; 

7 obtaining authentication information from a security server, using the credential and 

8 the local security authority; and 

9 passing authentication information from the local security authority to an application 

10 client, wherein the authentication information can operate with the application 

1 1 client to access a computer networked service. 
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1 11. A method as recited in claim 1 0, wherein retrieving and passing the secret value 

2 include using a security library to access the secret file, to read the secret value, and 

3 to communicate the secret value to the local security authority. 

1 12. A method as recited in claim 10, wherein the method further comprises receiving user 

2 information provided by the first user; and wherein obtaining the authentication 

3 information includes exchanging information with the security server by using the 

4 local security authority to initiate communication with the security server, to pass at 

5 least part of the user information to the security server, and to receive authentication 

6 information from the security server. 

1 13. A method as recited in claim 1, wherein the credential is associated with a first 

2 application and a set of permissions, and wherein the method further comprises: 

3 storing a second credential associated with a second application, in memory 

4 associated with the local security authority, wherein the second credential is 

5 associated with a subset of the set of permissions; 

6 generating a second secret value corresponding to the second credential; 

7 storing the second secret value in a second secret file; and 

8 limiting access to the second secret file to only the second application when invoked 

9 by the first user. 

1 14. A method as recited in claim 13, further comprising: 

2 receiving a request from the second application to retrieve the second credential; 

3 retrieving the second secret value from the second secret file; 
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4 passing the second secret value to the local security authority; 

5 confirming the request is from the second application; 

6 identifying the second credential to which the second secret value corresponds by 

7 using the local security authority to correlate a characteristic of the second 

8 secret value with a characteristic of the second credential; 

9 obtaining second authentication information from a security server, using the second 

10 credential and the local security authority; and 

1 1 passing the second authentication information from the local security authority to a 

12 second application client, wherein the second authentication information can 

1 3 operate with the second application client to access a computer networked 

14 service. 

1 15. A computer readable medium containing program instructions for limiting access to a 

2 credential that can facilitate access by a first user to a computer networked service on 

3 a networked computer system, wherein when the computer readable medium is read 

4 by a computer system having a processor and memory the program instructions are 

5 configured to be executed by the processor, the computer readable medium 

6 comprising: 

7 program instructions for storing the credential such that the credential is accessible 

8 only by using a local security authority; 

9 program instructions for generating a secret value corresponding to the credential; and 

10 program instructions for storing the secret value in a secret file that can be modified 

1 1 and retrieved only by the first user. 



1 16. A computer-readable medium as recited in claim 1 5, further comprising: 
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2 program instructions for recognizing user information provided by the first user; 

3 program instructions for authenticating the first user based, at least in part, on the user 

4 information; 

5 program instructions for determining the credential based, at least in part, on the user 

6 information; 

7 program instructions for associating the credential with the first user; and 

8 program instructions for associating a credential identifier with the credential. 

1 17. A computer readable medium as recited in claim 16, wherein the program instructions 

2 for determining the credential include program instructions for using the local 

3 security authority to exchange information, including at least part of the user 

4 information, with a security server. 

1 18. A computer readable medium as recited in claim 16, further comprising: 

2 program instructions for recognizing a request to retrieve the credential; 

3 program instructions for retrieving the secret value; 

4 program instructions for retrieving the credential identifier, using the secret value; 

5 and 

6 program instructions for retrieving the credential, using the credential identifier. 

1 19. A computer readable medium as recited in claim 1 8, further comprising: 

2 program instructions for passing the credential identifier from the local security 

3 authority to an application client; 

4 program instructions for receiving a request to initialize a security context; 
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5 program instructions for obtaining authentication information by using the local 

6 security authority and using the credential; 

7 program instructions for passing the authentication information to a security library; 

8 and 

9 program instructions for passing the authentication information from the security 

10 library to the application client, thereby initializing the security context, 

1 1 wherein retrieving the credential includes identifying the credential that 

12 corresponds to the secret value and to the credential identifier, by using the 

1 3 local security authority. 

1 20. A computer readable medium as recited in claim 15, further comprising: 

2 program instructions for retrieving the secret value from the file; 

3 program instructions for passing the secret value to the local security authority; 

4 program instructions for identifying the credential to which the secret value 

5 corresponds, by using the local security authority to correlate a characteristic 

6 of the secret value with a characteristic of the credential; 

7 program instructions for obtaining authentication information from a security server, 

8 using the credential and the local security authority; and 

9 program instructions for passing authentication information from the local security 

10 authority to an application client, wherein the authentication information can 

1 1 operate with the application client to access the computer networked service. 

1 21. A computer system configured to provide client security for networked services, the 

2 computer system comprising: 
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3 a local security authority configured to authenticate the identity of a user, to 

4 determine a credential corresponding to the user, to generate a secret value 

5 corresponding to the determined credential, and to determine authorization 

6 information associated with both the user and an application; 

7 local security authority memory associated with the local security authority, 

8 configured only by operation of the local security authority; and 

9 computer-readable memory configured to store a secret file which is configured to 

10 store the secret value and which is readable substantially only by processes 

1 1 executed by the user. 

1 22. The computer system as recited in claim 21 , further comprising: 

2 an application client configured to request processes from an application server; and 

3 a security library associated with the application client, wherein the security library is 

4 configured to receive a request from the application client to initiate a security 

5 context, to obtain the secret value by reading the secret file, to communicate 

6 the secret value to the local security authority, to obtain the authorization 

7 information from the local security authority, and to communicate the 

8 authorization information to the application client. 

1 23. A computer system as recited in claim 21, wherein the local security authority is 

2 configured to authenticate the identity of the user, to determine the credential 

3 corresponding to the user, and to determine authorization information associated with 

4 both the user and an application by receiving user information and exchanging 

5 information, including information representing at least a part of the user information, 

6 with a security server. 
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1 24. An apparatus for providing client security for networked services, comprising: 

2 a network interface that is coupled to a data network for receiving one or more packet 

3 flows therefrom; 

4 a processor; 

5 one or more stored sequences of instructions which, when executed by the processor, 

6 cause the processor to carry out the steps of: 

7 storing a credential such that the credential is accessible only by using a local 

8 security authority; 

9 generating a secret value corresponding to the credential; and 

10 storing the secret value in a secret file that can be modified and retrieved only 

11 by a first user. 

1 25. An apparatus as recited in Claim 24, further comprising one or more stored sequences 

2 of instructions which, when executed by the processor, cause the processor to carry 

3 out the steps of: 

4 receiving user information provided by the first user; 

5 authenticating the first user based, at least in part, on the user information; 

6 determining the credential based, at least in part, on the user information; 

7 associating the credential with the first user; and 

8 associating a credential identifier with the credential. 

1 26. An apparatus as recited in Claim 25, wherein determining the credential includes 

2 using the local security authority to exchange information, including at least part of 

3 said user information, with a security server. 
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1 27. An apparatus as recited in Claim 25, wherein authenticating the first user includes 

2 exchanging information, representing at least a part of the user information, with a 

3 security server by using the local security authority. 

1 28. An apparatus as recited in Claim 27, wherein exchanging information and 

2 determining the credential includes conducting a Kerberos exchange with a Kerberos 

3 security server whereby when information is passed from the local security authority 

4 to the Kerberos security server, the Kerberos security server determines the credential 

5 based, at least in part, on the information from the local security authority, and passes 

6 the credential to the local security authority. 

1 29. An apparatus as recited in Claim 24, wherein generating and writing the secret value 

2 includes using the local security authority. 

1 30. An apparatus as recited in Claim 25, further comprising one or more stored sequences 

2 of instructions which, when executed by the processor, cause the processor to carry 

3 out the steps of: 

4 receiving a request to retrieve the credential; 

5 retrieving the secret value; 

6 retrieving the credential identifier, using the secret value; and 

7 retrieving the credential, using the credential identifier. 
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1 3 L An apparatus as recited in Claim 30, further comprising one or more stored sequences 

2 of instructions which, when executed by the processor, cause the processor to carry 

3 out the steps of: 

4 passing the credential identifier from the local security authority to an application 

5 client; 

6 receiving a request to initialize a security context; 

7 obtaining authentication information by using the local security authority and using 

8 the credential; 

9 passing the authentication information to a security library; and 

10 passing the authentication information from the security library to the application 

1 1 client, thereby facilitating initialization of the security context, wherein 

12 retrieving the credential includes identifying the credential that corresponds to 

13 the secret value and to the credential identifier by using the local security 

14 authority. 

1 32. An apparatus as recited in Claim 30, wherein the secret value is retrieved only if the 

2 request to retrieve the credential is received from the first user. 

1 33. An apparatus as recited in Claim 24, further comprising one or more stored sequences 

2 of instructions which, when executed by the processor, cause the processor to carry 

3 out the steps of: 

4 retrieving the secret value from the secret file; 

5 passing the secret value to the local security authority; 
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6 identifying the credential to which the secret value corresponds by using the local 

7 security authority to correlate a characteristic of the secret value with a 

8 characteristic of the credential; 

9 obtaining authentication information from a security server, using the credential and 

10 the local security authority; and 

1 1 passing authentication information from the local security authority to an application 

12 client, wherein the authentication information can operate with the application 

13 client to access a computer networked service. 

1 34. An apparatus as recited in Claim 33, wherein retrieving and passing the secret value 

2 include using a security library to access the secret file, to read the secret value, and to 

3 communicate the secret value to the local security authority. 

1 35. An apparatus as recited in Claim 33, further comprising one or more stored sequences 

2 of instructions which, when executed by the processor, cause the processor to carry 

3 out the step of receiving user information provided by the first user; and wherein 

4 obtaining the authentication information includes exchanging information with the 

5 security server by using the local security authority to initiate communication with the 

6 security server, to pass at least part of the user information to the security server, and 

7 to receive authentication information from the security server. 

1 36. An apparatus as recited in Claim 24, wherein the credential is associated with a first 

2 application and a set of permissions, and wherein the apparatus further comprises one 

3 or more stored sequences of instructions which, when executed by the processor, 

4 cause the processor to carry out the steps of: 
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5 storing a second credential associated with a second application, in memory 

6 associated with the local security authority, wherein the second credential is 

7 associated with a subset of the set of permissions; 

8 generating a second secret value corresponding to the second credential; 

9 storing the second secret value in a second secret file; and 

10 limiting access to the second secret file to only the second application when invoked 

11 by the first user. 

1 37. An apparatus as recited in Claim 36, further comprising one or more stored sequences 

2 of instructions which, when executed by the processor, cause the processor to carry 

3 out the steps of: 

4 receiving a request from the second application to retrieve the second credential; 

5 retrieving the second secret value from the second secret file; 

6 passing the second secret value to the local security authority; 

7 confirming the request is from the second application; 

8 identifying the second credential to which the second secret value corresponds by 

9 using the local security authority to correlate a characteristic of the second 

10 secret value with a characteristic of the second credential; 

1 1 obtaining second authentication information from a security server, using the second 

12 credential and the local security authority; and 

13 passing the second authentication information from the local security authority to a 

14 second application client, wherein the second authentication information can 

15 operate with the second application client to access a computer networked 

16 service. 
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1 38. An apparatus providing client security for networked services, comprising: 

2 means for storing a credential such that the credential is accessible only by using a 

3 local security authority; 

4 means for generating a secret value corresponding to the credential; and 

5 means for storing the secret value in a secret file that can be modified and retrieved 

6 only by a first user. 

1 39. An apparatus as recited in Claim 38, further comprising: 

2 means for receiving user information provided by the first user; 

3 means for authenticating the first user based, at least in part, on the user information; 

4 means for determining the credential based, at least in part, on the user information; 

5 means for associating the credential with the first user; and 

6 means for associating a credential identifier with the credential. 

1 40. An apparatus as recited in Claim 39, wherein determining the credential includes 

2 using the local security authority to exchange information, including at least part of 

3 said user information, with a security server. 

1 41 . An apparatus as recited in Claim 39, wherein authenticating the first user includes 

2 exchanging information, representing at least a part of the user information, with a 

3 security server by using the local security authority. 

1 42. An apparatus as recited in Claim 41, wherein exchanging information and 

2 determining the credential includes conducting a Kerberos exchange with a Kerberos 



50325-0880 (Seq. No. 8921) 



3 security server whereby when information is passed from the local security authority 

4 to the Kerberos security server, the Kerberos security server determines the credential 

5 based, at least in part, on the information from the local security authority, and passes 

6 the credential to the local security authority. 

1 43. An apparatus as recited in Claim 38, wherein generating and writing the secret value 

2 includes using the local security authority. 

1 44. An apparatus as recited in Claim 39, further comprising: 

2 means for receiving a request to retrieve the credential; 

3 means for retrieving the secret value; 

4 means for retrieving the credential identifier, using the secret value; and 

5 means for retrieving the credential, using the credential identifier. 

1 45. An apparatus as recited in Claim 44, further comprising: 

2 means for passing the credential identifier from the local security authority to an 

3 application client; 

4 means for receiving a request to initialize a security context; 

5 means for obtaining authentication information by using the local security authority 

6 and using the credential; 

7 means for passing the authentication information to a security library; and 

8 means for passing the authentication information from the security library to the 

9 application client, thereby facilitating initialization of the security context, 
10 wherein retrieving the credential includes identifying the credential that 
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1 1 corresponds to the secret value and to the credential identifier by using the 

1 2 local security authority. 

1 46. An apparatus as recited in Claim 44, wherein the secret value is retrieved only if the 

2 request to retrieve the credential is received from the first user. 

1 47. An apparatus as recited in Claim 38, further comprising: 

2 means for retrieving the secret value from the secret file; 

3 means for passing the secret value to the local security authority; 

4 means for identifying the credential to which the secret value corresponds by using 

5 the local security authority to correlate a characteristic of the secret value with 

6 a characteristic of the credential; 

7 means for obtaining authentication information from a security server, using the 

8 credential and the local security authority; and 

9 means for passing authentication information from the local security authority to an 

10 application client, wherein the authentication information can operate with the 

1 1 application client to access the computer networked service. 

1 48. An apparatus as recited in Claim 47, wherein retrieving and passing the secret value 

2 include using a security library to access the secret file, to read the secret value, and to 

3 communicate the secret value to the local security authority. 

1 49. An apparatus as recited in Claim 47, further comprising a means for receiving user 

2 information provided by the first user; and wherein obtaining the authentication 

3 information includes exchanging information with the security server by using the 
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4 local security authority to initiate communication with the security server, to pass at 

5 least part of the user information to the security server, and to receive authentication 

6 information from the security server. 

1 50. An apparatus as recited in Claim 38, wherein the credential is associated with a first 

2 application and a set of permissions, and wherein the apparatus further comprises: 

3 means for storing a second credential associated with a second application, in memory 

4 associated with the local security authority, wherein the second credential is 

5 associated with a subset of the set of permissions; 

6 means for generating a second secret value corresponding to the second credential; 

7 means for storing the second secret value in a second secret file; and 

8 means for limiting access to the second secret file to only the second application 

9 when invoked by the first user. 
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1 51. An apparatus as recited in Claim 50, further comprising: 

2 means for receiving a request from the second application to retrieve the second 

3 credential; 

4 means for retrieving the second secret value from the second secret file; 

5 means for passing the second secret value to the local security authority; 

6 means for confirming the request is from the second application; 

7 means for identifying the second credential to which the second secret value 

8 corresponds by using the local security authority to correlate a characteristic 

9 of the second secret value with a characteristic of the second credential; 

10 means for obtaining second authentication information from a security server, using 

1 1 the second credential and the local security authority; and 

12 means for passing the second authentication information from the local security 

13 authority to a second application client, wherein the second authentication 

14 information can operate with the second application client to access a 

1 5 computer networked service. 
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